Software-defined networking (SDN) is a network architecture in which the control plane and the forwarding plane are separated. In the SDN architecture, the control functions of network devices are abstracted into a controller, and the controller delivers flow entries to the network devices. A network device receives and stores the flow entries delivered by the controller and handles each data flow according to the matching flow entry, for example by forwarding, dropping, or modifying the data flow.
Such flow-based control in SDN consumes the flow table of a switch extremely quickly, and the hardware flow table of an SDN switch is generally implemented with a TCAM (ternary content-addressable memory), whose capacity is limited. An attacker may therefore forge a large quantity of data flows so that the controller adds a large quantity of flow entries to the flow table of the switch, or even fills the flow table completely. When no more flow entries can be added to the flow table of the switch, the switch must delete an existing flow entry to make room for a new one.
It follows from the foregoing that, when a switch is attacked, it receives a large quantity of attack data flows in a short time. Because these attack data flows match no flow entry stored in the switch, the switch must send packet_in packets to the controller to obtain flow entries that match them. Since the flow table of the switch has a limited capacity, the flow entries of normal data flows are replaced out of the switch by the flow entries of the attack data flows. Consequently, a normal data flow no longer hits a flow entry, and the latency for processing the normal data flow increases.
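The following is an added example, not code from the original text: a small Python model of a fixed-capacity flow table with reactive entry installation and LRU replacement, showing how a burst of distinct flow keys evicts the entries of normal flows so that they miss again afterwards, together with a simple controller-side check (assumed thresholds on table occupancy and per-window miss ratio) that flags the churn. The flow keys, capacity and thresholds are constructed for illustration.

```python
from collections import OrderedDict


class FlowTable:
    """Fixed-capacity flow table standing in for a switch TCAM, LRU replacement."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()  # flow key -> action
        self.packet_ins = 0           # misses reported to the controller
        self.evictions = 0            # entries replaced to make room

    def process(self, key):
        """Return True on a hit. On a miss, model the controller reactively
        installing an entry, evicting the least recently used if the table is full."""
        if key in self.entries:
            self.entries.move_to_end(key)
            return True
        self.packet_ins += 1
        if len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)
            self.evictions += 1
        self.entries[key] = "forward"
        return False


def miss_ratio(table, keys):
    """Fraction of packets in this window that needed a packet_in."""
    before = table.packet_ins
    for k in keys:
        table.process(k)
    return (table.packet_ins - before) / len(keys)


def exhaustion_alert(table, window_miss_ratio, occupancy=0.9, misses=0.5):
    """Controller-side check (assumed thresholds): a nearly full table combined
    with a high miss ratio means entries are being churned rather than reused."""
    return len(table.entries) / table.capacity >= occupancy and window_miss_ratio >= misses


def run_scenario(capacity=8, normal=4, burst=50):
    """Normal flows warm the table, a burst of distinct keys arrives, normal
    flows return. Returns per-phase (miss ratio, alert) and total evictions."""
    table = FlowTable(capacity)
    # Constructed sample flow keys (src, dst, dst_port); not real traffic.
    normal_keys = [("10.0.0.%d" % i, "10.0.1.1", 80) for i in range(normal)]
    burst_keys = [("198.51.100.%d" % i, "10.0.1.1", 1000 + i) for i in range(burst)]
    miss_ratio(table, normal_keys)  # warm-up: each normal flow is installed once
    phases = {}
    for name, keys in (("steady", normal_keys), ("burst", burst_keys), ("after", normal_keys)):
        r = miss_ratio(table, keys)
        phases[name] = (r, exhaustion_alert(table, r))
    return phases, table.evictions
```

In the default scenario the steady phase has a miss ratio of 0.0 with no alert, the burst phase a miss ratio of 1.0 with the alert raised, and the returning normal flows miss again with ratio 1.0 because all of their entries were evicted.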